T1569 Splunk · SPL

Detect System Services in Splunk

This detection identifies adversaries abusing Windows services, Linux systemd units, and macOS launchd daemons to execute malicious code. Attackers commonly use sc.exe, net start, PsExec, systemctl, and launchctl to create or start services that run attacker-controlled binaries. Indicators include services whose binary path points to a temp directory, a user profile path, or a UNC share; service names mimicking legitimate system services; new service installations from unusual parent processes (cmd.exe, powershell.exe, wscript.exe); and service creations by non-standard accounts. The technique is frequently chained with lateral movement and persistence to obtain remote code execution or to keep a foothold across reboots. The SPL on this page covers the Windows telemetry only (service installation events and Sysmon process creation).

MITRE ATT&CK

Tactic
Execution
Technique
T1569 System Services
Canonical reference
https://attack.mitre.org/techniques/T1569/

SPL Detection Query

Splunk (SPL)
(
  index=* (sourcetype="WinEventLog:System" EventCode=7045)
  OR (sourcetype="WinEventLog:Security" EventCode=4697)
)
| eval ServiceName=coalesce(ServiceName, Service_Name),
       ImagePath=coalesce(ImagePath, Service_File_Name),
       ServiceAccount=coalesce(ServiceAccount, Service_Account, AccountName)
| eval suspicious_path=if(
    match(ImagePath, "(?i)(\\\\temp\\\\|\\\\users\\\\|\\\\appdata\\\\|\\\\downloads\\\\|\\\\public\\\\|%temp%|%appdata%)"),
    1, 0)
| eval unc_path=if(match(ImagePath, "^\"?\\\\\\\\[^\\\\]+\\\\"), 1, 0)
| eval lolbin_service=if(
    match(ImagePath, "(?i)(certutil|bitsadmin|mshta|regsvr32|rundll32|wmic)"),
    1, 0)
| eval risk_score=suspicious_path*40 + unc_path*50 + lolbin_service*60
| where risk_score > 0
| eval detection="service_install"
| table _time, host, detection, EventCode, ServiceName, ImagePath, ServiceAccount, risk_score, suspicious_path, unc_path, lolbin_service
| append
    [search index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\sc.exe" OR Image="*\\net.exe" OR Image="*\\net1.exe")
    (CommandLine="*create*" OR CommandLine="*start*" OR CommandLine="*binpath*" OR CommandLine="*config*")
    | eval suspicious_parent=if(
        match(ParentImage, "(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msiexec\.exe)"),
        1, 0)
    | eval suspicious_cmdline=if(
        match(CommandLine, "(?i)(binpath\s*=\s*\"?[^\"]*\\\\(temp|appdata|downloads|public|users)\\\\|cmd\.exe /c|powershell)"),
        1, 0)
    | where suspicious_parent=1 OR suspicious_cmdline=1
    | eval risk_score=(suspicious_parent*30)+(suspicious_cmdline*40), detection="sc_net_cmdline"
    | table _time, host, detection, Image, CommandLine, ParentImage, ParentCommandLine, User, risk_score]
| append
    [search index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\psexec.exe" OR Image="*\\psexec64.exe" OR Image="*\\paexec.exe" OR Image="*\\remcom.exe")
    | eval risk_score=80, detection="psexec_client"
    | table _time, host, detection, Image, CommandLine, ParentImage, User, risk_score]
| sort - risk_score, -_time
Severity: high · Confidence: medium

Detects service-based execution by appending three Windows-only searches and sorting the union by risk, with a detection field marking which branch produced each row: (1) new service installations from the System log (EventCode 7045) and the Security log (EventCode 4697), with the classic-TA field names (Service_Name, Service_File_Name, Service_Account) coalesced with the XML ones and the binary path scored for temp/profile locations, UNC paths (by hostname or IP, with or without surrounding quotes), and LOLBin service executables; (2) Sysmon process creation (EventCode 1) for sc.exe, net.exe, or net1.exe with a service verb, launched from a suspicious parent or with a suspicious command line (the binpath pattern allows the quoted form sc.exe normally takes, binpath= "C:\..."); (3) Sysmon process creation for PsExec-style clients (psexec.exe, psexec64.exe, paexec.exe, remcom.exe). The sort runs after both appends so that all three branches are ranked together. Each append is a subsearch, so Splunk's default subsearch limits on result count and runtime apply; on large estates, schedule the three branches as separate searches instead. The Linux and macOS behaviours named in the description are not covered by this query.
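As an added example (not from the page or its authors), the three branches of the query reimplemented in Python and run over a handful of constructed events. The field names mirror what the Splunk Add-on for Windows and the Sysmon TA extract (Service_File_Name for classic 7045/4697, ImagePath for XML, Image/CommandLine/ParentImage for Sysmon), the regexes are the SPL match() patterns written as Python raw strings, and the sample events, hostnames and service names are invented for the test. It shows the quoted-binpath case and a hostname UNC path both scoring, which is what the patterns above are meant to catch.

```python
import re

# Regexes mirror the SPL match() expressions in the query (raw strings: one
# backslash in the pattern is one literal backslash in the path).
SUSPICIOUS_PATH = re.compile(
    r"(?i)(\\temp\\|\\users\\|\\appdata\\|\\downloads\\|\\public\\|%temp%|%appdata%)")
UNC_PATH = re.compile(r'^"?\\\\[^\\]+\\')            # \\host-or-ip\share\...
LOLBIN = re.compile(r"(?i)(certutil|bitsadmin|mshta|regsvr32|rundll32|wmic)")
SUSPICIOUS_PARENT = re.compile(
    r"(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|"
    r"mshta\.exe|rundll32\.exe|regsvr32\.exe|msiexec\.exe)")
# "? after binpath= lets the usual quoted form (binpath= "C:\...") match.
SUSPICIOUS_CMDLINE = re.compile(
    r'(?i)(binpath\s*=\s*"?[^"]*\\(temp|appdata|downloads|public|users)\\|cmd\.exe /c|powershell)')
SC_NET = {"sc.exe", "net.exe", "net1.exe"}
PSEXEC = {"psexec.exe", "psexec64.exe", "paexec.exe", "remcom.exe"}
SC_VERBS = ("create", "start", "binpath", "config")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_service_install(ev):
    """Branch 1: EventCode 7045 (System) / 4697 (Security).
    Coalesce classic-TA and XML field names, then score the binary path."""
    if ev.get("EventCode") not in (7045, 4697):
        return None
    image = ev.get("ImagePath") or ev.get("Service_File_Name") or ""
    flags = {
        "suspicious_path": int(bool(SUSPICIOUS_PATH.search(image))),
        "unc_path": int(bool(UNC_PATH.search(image))),
        "lolbin_service": int(bool(LOLBIN.search(image))),
    }
    score = flags["suspicious_path"] * 40 + flags["unc_path"] * 50 + flags["lolbin_service"] * 60
    if score == 0:
        return None
    return {"detection": "service_install", "host": ev["host"],
            "ServiceName": ev.get("ServiceName") or ev.get("Service_Name"),
            "ImagePath": image, "risk_score": score, **flags}


def score_process_create(ev):
    """Branches 2 and 3: Sysmon EventCode 1 for sc/net service verbs and for
    PsExec-style clients (the client side; the target shows a 7045 instead)."""
    if ev.get("EventCode") != 1:
        return None
    image = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    if image in PSEXEC:
        return {"detection": "psexec_client", "host": ev["host"],
                "Image": ev["Image"], "CommandLine": cmd, "risk_score": 80}
    if image not in SC_NET or not any(v in cmd.lower() for v in SC_VERBS):
        return None
    parent = int(bool(SUSPICIOUS_PARENT.search(ev.get("ParentImage", ""))))
    cmdline = int(bool(SUSPICIOUS_CMDLINE.search(cmd)))
    if not (parent or cmdline):
        return None
    return {"detection": "sc_net_cmdline", "host": ev["host"], "Image": ev["Image"],
            "CommandLine": cmd, "ParentImage": ev.get("ParentImage"),
            "risk_score": parent * 30 + cmdline * 40,
            "suspicious_parent": parent, "suspicious_cmdline": cmdline}


def run_detection(events):
    """Base search + two appends + final sort, as one pass over the events."""
    hits = [h for ev in events
            if (h := score_service_install(ev) or score_process_create(ev))]
    return sorted(hits, key=lambda h: -h["risk_score"])


# Constructed sample telemetry (not real logs); hosts and names are invented.
SAMPLE_EVENTS = [
    {"EventCode": 7045, "host": "WS01", "Service_Name": "AtomicTestSvc",
     "Service_File_Name": "C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe"},
    {"EventCode": 4697, "host": "SRV02", "ServiceName": "Updater",
     "ImagePath": "\\\\fileserver\\share\\update.exe"},
    {"EventCode": 7045, "host": "SRV03", "Service_Name": "Helper",
     "Service_File_Name": "rundll32.exe C:\\Windows\\Temp\\x.dll,Run"},
    {"EventCode": 7045, "host": "SRV04", "Service_Name": "VeeamAgent",
     "Service_File_Name": "C:\\Program Files\\Veeam\\VeeamAgent.exe"},
    {"EventCode": 1, "host": "WS01", "Image": "C:\\Windows\\System32\\sc.exe",
     "CommandLine": 'sc.exe create AtomicTestSvc binpath= "C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe"',
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventCode": 1, "host": "WS05", "Image": "C:\\Tools\\PsExec64.exe",
     "CommandLine": "PsExec64.exe \\\\SRV02 -s cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventCode": 1, "host": "SRV04", "Image": "C:\\Windows\\System32\\sc.exe",
     "CommandLine": "sc.exe query VeeamAgent",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["risk_score"], hit["detection"], hit["host"])
```

The Veeam install and the sc.exe query from services.exe drop out, the rundll32-backed service and the PsExec client rank highest, and the quoted binpath on WS01 scores on both the parent and the command line. If a row you expect is missing, check the coalesced field names first: a classic 7045 with no Service_File_Name extraction scores zero on every path test.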

Data Sources

Sysmon
Windows Event Logs

Required Sourcetypes

WinEventLog:System
WinEventLog:Security
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Software deployment tools (SCCM, PDQ Deploy) creating services as part of managed software installations
  • Backup agents (Veeam, Commvault) that install temporary service components during backup jobs
  • IT operations scripts run by administrators that use sc.exe or net.exe for legitimate service management
  • Antivirus and EDR products that create services during installation or updates
  • Windows Subsystem for Linux or virtualization software that registers kernel services
  • Replace index=* with the indexes that actually hold Windows and Sysmon data; scanning every index is slow and pulls in unrelated sourcetypes
  • EventCode 4697 is only logged when the Audit Security System Extension subcategory is enabled; without it the Security branch is empty and only 7045 fires
  • Allowlist the service names and image paths of sanctioned deployment, backup, and endpoint agents with a lookup rather than by raising the score thresholds

Testing Methodology

Validate this detection against four Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create and Execute Malicious Service via sc.exe

    Expected signal: System log EventCode 7045 with ServiceName=AtomicTestSvc and ImagePath in a Temp directory (suspicious_path=1); Sysmon EventCode 1 showing sc.exe with 'create' and 'binpath' in the command line, parent cmd.exe or powershell.exe (suspicious_parent=1, suspicious_cmdline=1)

  2. Test 2: Remote Service Execution via PsExec Simulation

    Expected signal: on the source host, Sysmon EventCode 1 for psexec.exe/psexec64.exe (risk_score=80) and Sysmon EventCode 3 showing an SMB connection to the target; on the target host, EventCode 7045 for the installed service. If the simulation creates the service with sc.exe \\target and a UNC binpath, the 7045 ImagePath matches unc_path; a real PsExec instead registers PSEXESVC with ImagePath under %SystemRoot%, which this query does not score, so the target-side 7045 must be found by ServiceName

  3. Test 3: Linux Malicious Systemd Service Creation

    Expected signal: syslog or auditd entries showing systemctl execution; a file creation event for /etc/systemd/system/atomic-test.service; a bash process spawned by systemd with UID=0 executing id. This SPL has no Linux branch, so the test exercises the behaviour but will not produce a row in this query

  4. Test 4: Service Creation via PowerShell New-Service Cmdlet

    Expected signal: System log EventCode 7045 with ServiceName=PSAtomicTestSvc and ImagePath in %TEMP% (suspicious_path=1); PowerShell ScriptBlock log EventID 4104 showing the New-Service cmdlet. New-Service calls the Service Control Manager directly, so no sc.exe or net.exe process is created and the Sysmon branch stays silent; only the 7045 branch fires for this test
